Security audit — 2026-06-20 #69

Open
versila22 wants to merge 1 commit into main from security-audit-2026-06-20

Conversation

@versila22

Owner

Pentest mini-report — versila22/lima-app — 2026-06-20

Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 + Vite 7 SPA / npm / PWA=yes (vite-plugin-pwa, Workbox NetworkFirst for API)
Counts: Critical=1 High=4 Medium=1 Low=3 Info=0

Note: deployed URL returned 403 from audit host (network policy). DAST headers verified from nginx.conf source. TLS checked via openssl (TLS 1.0/1.1 disabled, TLS 1.2+1.3 enabled).

Findings

| Sev | Cat | Title | Location |
|---|---|---|---|
| Critical | Dep | vitest: arbitrary file read+exec via UI server | package.json → vitest (dev) |
| High | Dep | serialize-javascript: RCE via RegExp.flags | package.json → workbox-build → serialize-javascript (dev) |
| High | Dep | fast-uri: path traversal via %2E segments | package.json → vite → fast-uri (dev) |
| High | Dep | undici: TLS cert bypass via SOCKS5 requestTls drop | package.json → vite → undici (dev) |
| High | Dep | vite: NTLMv2 hash disclosure via UNC path (Windows) | package.json → vite (dev) |
| Medium | Dep | react-router-dom: open redirect via //-prefixed path | package.json → react-router-dom ^6.30.1 (runtime) |
| Low | DAST | CSP style-src unsafe-inline | nginx.conf:10 |
| Low | SAST | api.ts.orig committed — historical localStorage token pattern | src/lib/api.ts.orig |
| Low | SAST | api_upload.patch committed — stale patch artifact | src/lib/api_upload.patch |

Top 3 fixes

  1. react-router-dom open redirect — npm update react-router-dom to a patched release
  2. Dev dep chain (Critical/High) — npm update vitest vite workbox-build; verify overrides in package.json resolve correctly
  3. Stale artifacts — git rm src/lib/api.ts.orig src/lib/api_upload.patch

Verified safe

  • No hardcoded secrets; JWT migrated from localStorage β†’ sessionStorage; no VAPID in client
  • Backend CORS: explicit allow_origins, never wildcard; security headers middleware comprehensive
  • Nginx CSP: script-src 'self' (no unsafe-inline/eval for scripts); HSTS + X-Frame-Options: DENY set
  • TLS 1.0/1.1 disabled; dangerouslySetInnerHTML in chart.tsx uses developer-controlled CSS only
  • No postMessage, no prototype pollution surface

Needs server-side verification

  • Live response headers on limaimpro.duckdns.org (CSP, HSTS, nosniff)
  • Cookie flags on Railway auth cookies; CORS reflection on live API; exposed-path check (.env, .git)

Generated by Claude Code
